CVE-2024-25132: 
vulnerability analysis and mitigation

A vulnerability (CVE-2024-25132) was discovered in the Hive hibernation controller component of OpenShift Dedicated. The vulnerability was disclosed on March 19, 2025, and affects the OpenShift Dedicated platform. This flaw received a CVSS v3.1 base score of 4.3 (Medium) and is classified as CWE-400 (Uncontrolled Resource Consumption) (Red Hat CVE).

The vulnerability exists in the ClusterDeployment.hive.openshift.io/v1 resource handling. The flaw allows the resource to be created with the spec.installed field set to true, regardless of the installation status, along with a positive timespan for the spec.hibernateAfter value. When combined with a ClusterSync.hiveinternal.openshift.io/v1alpha1 resource, the hive hibernation controller enters a reconciliation loop that leads to a panic when attempting to access a non-existing field in the ClusterDeployment's status section. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (Red Hat CVE, NVD).

The vulnerability results in a denial of service condition. When exploited, it causes the hive hibernation controller to enter a panic state, leading to a persistent denial of service. The issue affects the availability of the Hive controller services, as the problematic resources trigger a crash loop upon pod restart (Bugzilla).

Red Hat Product Security has not provided a recommended mitigation at the time of disclosure. Users are advised to update to a patched version once it becomes available (Red Hat CVE).

The vulnerability was discovered by Thibault Guittet from Red Hat, demonstrating the company's internal security research efforts (Red Hat CVE).